On May 12, 2021, President Joe Biden signed Executive Order 14028, entitled “Improving the Nation’s Cybersecurity”. This EO, released in the wake of the Colonial Pipeline hack, is intended to address some of the limitations and challenges facing federal agencies and their contractors in the federal and defense spaces.
What does this EO actually do? Here we’ll cover some of the big picture items of the EO and how this might impact DoD and federal IT contractors.
In this article, we will cover
- The SolarWinds and Colonial Pipeline hacks, and how they have helped set the stage for renewed interest in cybersecurity.
- The key areas of coverage in the EO, including its stated intent and goals.
- The potential impact of the EO on cybersecurity frameworks like FedRAMP, CMMC, RMF or others.
- How SecureStrux can help you prepare for compliance.
What are the SolarWinds and Colonial Pipeline Hacks?
Over the past 6 months, the U.S. has seen two significant cyber threats emerge to undermine national security: the SolarWinds hack and the Colonial Pipeline ransomware attack.
SolarWinds is a U.S IT company providing cloud and network management tools used by some of the largest companies in the country, including recognizable brands like Microsoft, Cisco and security agency FireEye. This hack also potentially compromised systems in the Treasury and Commerce Department, the State Department and the Department of Homeland Security (among others). It was FireEye who first came across the attack vector for this attack (an exploit embedded in patch updates) and determined the culprits were most likely Russian in origin and had most likely compromised the original systems months prior.
In an unrelated attack, Colonial Pipeline (a major U.S. pipeline system supporting oil and gas transport throughout the Southwestern United States) was the victim of a cyberattack. On May 7, 2021, their computer systems were hijacked with ransomware in which the attackers demanded 7 bitcoins ($5 million), making it the largest attack on oil infrastructure in the history of the U.S. it’s also considered likely that the attackers stole 100 GB of data from the company before the ransomware attack.
What these two attacks demonstrate is that cyber threats are becoming increasingly sophisticated and that hackers (whether associated with foreign governments or simply operating as criminal organizations) are targeting critical infrastructure. Because governmental, industrial and commercial systems are also increasingly utilizing cloud technology offered by a select few vendors, the risk of a devastating attack only becomes more pronounced.
President Biden’s Executive Order on Cybersecurity
To address this perceived gap in our understanding of cybersecurity and national infrastructure, President Biden’s EO to address cybersecurity emphasizes key areas of importance:
Modernize cybersecurity standards: The EO specifically calls for the implementation of a zero-trust architecture for the federal government and associated cloud services, and to update the collected standards in place now to better attend to modern cybersecurity challenges.
Improve supply chain security: A strengthening of application and software security is a priority. This includes more transparent security reporting for public review, innovating public-private security relationships and tightening down on the risk assumed by shipping software with known vulnerabilities. Additionally, it calls for the establishment of a program and rating system to denote secure technology—much like the Energy Star designation for appliances.
Creating a playbook: Standardizing responses and security requirements for hack and disaster recovery through a “playbook”. The emphasis here is to create a standard maturity level for security and response across all agencies and supply chain contractors.
Improving investigation, detection and remediation for IT and network infrastructure: This EO calls for the government to lead the way in terms of implementing strong and mature detection, mitigation and remediation efforts for federal networks and platforms. This also includes expanding information sharing across different agencies to address security flaws and attacks.
While these are broad categories, there are specific technical categories, practices and procedures that it relies on to ensure security.
What Does Biden’s Executive Order Mean for Companies Working with the Government?
Changing anything in the government is an endeavor that is better measured in geological time. This is a problem that the EO intends to address by standardizing and codifying security standards across all agencies.
For starters, it seems like the EO requires a “software bill of sales” that details the software included in a product and its potential vulnerabilities. This means that contractors and agencies can more quickly and accurately manage their risk (even during assessments for compliance requirements in RMF or CMMC) without having any surprises pop up.
Additionally, the EO includes the directive to develop a review and labeling system for vendors and their products. While this could seemingly add time and labor to development, a standardized and formal labeling system could help bolster security and cut development costs in the long run once widely adopted by vendors and contractors.
It also looks like the government will drive the adoption of a standard playbook not only for federal agencies but for high-risk businesses and vendors in important industries. The first drafts of these playbooks and procedures are set to come out within the next 60-120 days, which could give businesses a chance to see how this kind of standardization will play out.
Finally, the EO leans heavily on the notion of zero-trust. The EO notes that the current infrastructure is outdated, and it is time to lean on more restrictive models of data security.
Is this all for the better? A standardized security response approach built on zero-trust principles could be a huge boon to the industry. However, it will require follow-through and widespread adoption by companies in DIBNet and DoD supply chain space. If not, a completely top-down approach that doesn’t take costs and labor into account could just slow down the necessary progress to protect important U.S. infrastructure in the public and private sectors.
If you are an IT provider working with federal or DoD clients, this EO could have an impact on your compliance requirements. It’s important to work with someone who can support real security implementation with decades of expertise. Learn more about SecureStrux and how we can be the partner that helps you navigate changes in cybersecurity, governance and risk assessment.